gss: Add way to set authenticator authz-data

Now we can set Authenticator authorization-data with gss_set_name_attribute().
2022-01-07 15:55:15 -06:00
parent fe11481cc5
commit c2e3c5b66e
8 changed files with 159 additions and 3 deletions
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -33,6 +33,12 @@

 #include "gsskrb5_locl.h"

+static OM_uint32
+gsskrb5_set_authorization_data(OM_uint32 *,
+                               krb5_context,
+                               krb5_auth_context,
+                               gss_const_name_t);
+
 /*
 * copy the addresses from `input_chan_bindings' (if any) to
 * the auth context `ac'
@@ -418,6 +424,11 @@ init_auth
    if (ret)
 	goto failure;

+    ret = gsskrb5_set_authorization_data(minor_status, context,
+                                         ctx->auth_context, name);
+    if (ret)
+	goto failure;
+
    ctx->endtime = ctx->kcred->times.endtime;

    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
@@ -977,3 +988,31 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
    return ret;

 }
+
+static OM_uint32
+gsskrb5_set_authorization_data(OM_uint32 *minor_status,
+                               krb5_context context,
+                               krb5_auth_context auth_context,
+                               gss_const_name_t gn)
+{
+    const CompositePrincipal *name = (const void *)gn;
+    AuthorizationData *ad;
+    krb5_error_code kret = 0;
+    size_t i;
+
+    if (name->nameattrs == NULL || name->nameattrs->want_ad == NULL)
+        return GSS_S_COMPLETE;
+
+    ad = name->nameattrs->want_ad;
+    for (i = 0; kret == 0 && i < ad->len; i++) {
+        kret = krb5_auth_con_add_AuthorizationData(context, auth_context,
+                                                   ad->val[0].ad_type,
+                                                   &ad->val[0].ad_data);
+    }
+
+    if (kret) {
+        *minor_status = kret;
+        return GSS_S_FAILURE;
+    }
+    return GSS_S_COMPLETE;
+}